Accepting payments online for a business takes five steps: choose a payment gateway, apply for a merchant account, integrate checkout into your website or invoicing flow, turn on recurring billing and the customer vault, and set up your refund and chargeback process. Most low-risk businesses can go from signing up to taking their first live payment in two to seven business days.

What you actually need to accept payments online

Three pieces have to be in place before a single dollar moves. Most providers (including CoreGateway) bundle them so you sign up once, but it helps to know what each one does in case you ever talk to a processor, a developer, or your accountant.

  • A payment gateway. The software layer that captures card data on your checkout, encrypts it, and transmits it to your processor. This is the thing your website or invoice page talks to.
  • A merchant account. A specialized bank account underwritten through a sponsor bank that holds card-payment funds before they deposit to your normal business checking account. You need one to accept card payments under your business name.
  • A connection to a payment processor. The processor is what actually moves money between the customer’s issuing bank and your merchant account through the card networks.

Aggregator services like PayPal or Stripe combine all three into a single sign-up. That is faster to start, but the trade-off is they reserve the right to freeze funds and close your account with limited recourse. For any business that depends on online payments for real revenue, a dedicated merchant account through a provider like CoreGateway is the more stable path.

Payment gateway vs merchant account: how they fit together

The two terms are constantly used interchangeably. They are not the same thing.

| Piece | What it does | When you need it |
| --- | --- | --- |
| Payment gateway | Software that captures and transmits payment data securely | For any online or card-not-present transaction |
| Merchant account | Bank account that receives card funds before they deposit to your checking account | For your business to accept cards under its own name |
| Processor | Moves money between issuing bank and merchant account | Always - typically chosen by your gateway provider |

The simplest way to think about it: the merchant account is the “where does the money land” question. The gateway is the “how does the card data get there safely” question. You need both to accept payments online, but you do not have to source them separately.

Step 1: Choose a payment gateway

Most businesses underweight this decision. Switching gateways later means migrating customer payment data, rebuilding integrations, and retraining anyone on your team who works in the dashboard. Time spent comparing options here is time well spent.

The checklist that actually matters in 2026:

  • Pricing transparency. Interchange-plus pricing shows each cost component separately. Flat-rate pricing (think 2.9% + $0.30) is simpler to understand but typically more expensive once volume grows.
  • Standard features, not add-ons. Many gateways advertise a low base price and charge separately for the customer vault, the card updater, recurring billing, surcharging, and reporting. Once those are added in, the “cheap” gateway often costs more than a transparent one.
  • PCI-DSS Level 1 certified. Anything less is a red flag.
  • Month-to-month contracts. Reputable modern gateways do not lock you into multi-year deals.
  • Real support. A phone number that reaches a human, not a chatbot that loops.

CoreGateway is built around exactly that checklist: interchange-plus pricing, standard features included (vault, card updater, recurring, surcharging, reporting), PCI Level 1, month-to-month, US-based support.

Step 2: Apply for a merchant account and get through underwriting

Once you choose a gateway, applying for the merchant account is a single form. The sponsor bank’s underwriting team reviews your business and decides whether to approve you to accept card payments.

What you will need on hand:

  • Legal business name and EIN (or SSN for sole proprietors)
  • Business address and a business website if you have one
  • Estimated monthly processing volume and average ticket size
  • Bank account routing and account numbers for deposit
  • Date of birth and home address for the authorized signer (usually the owner or officer)

For most low-risk businesses, underwriting approves within 1 to 3 business days. High-risk industries (CBD, firearms, supplements, certain subscription models) typically take 5 to 10 business days because the bank does more diligence.

Step 3: Build checkout - hosted page, integrated, or API

Three ways to put the gateway in front of your customers. Pick the one that fits how technical your team is and how much PCI scope you want to take on.

Hosted payment page

The customer is redirected to a payment page hosted by the gateway, styled to match your branding. The card data never touches your servers, which keeps your PCI scope at the lowest level (SAQ A). This is the fastest setup - usually a single redirect URL or embedded iframe. Right for businesses that want the simplest deploy and minimal compliance burden.

Best fit: service businesses that need a simple payment portal. A hosted payment page is often the right answer for doctors and medical offices, dentists, veterinarians, law firms, accountants, contractors, plumbers, HVAC, salons, and any service business that bills clients after the work is done. Instead of taking card numbers over the phone (a PCI minefield and a time sink for your front desk), you send the patient or client a link to your branded payment page. They enter the card themselves, pay the invoice on their own time, and your team never has to write down a card number again. For most small service businesses this is the single fastest way to start accepting payments online without rebuilding their website.

Integrated checkout

Card details are entered directly on your site and posted to the gateway via API. The customer never leaves your site, which gives you full control over the checkout experience. The trade-off is higher PCI scope (SAQ A-EP or D depending on the implementation) and more developer work. Right for businesses where the checkout UI is part of the brand.
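Whichever integration you pick, the claim that card data stays off your servers is worth checking against your own logs. The following is an added example, not CoreGateway code: a small scanner that flags Luhn-valid card numbers in log lines and reports them masked. The function names and the sample log are constructed for illustration.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits):
    """Luhn checksum: filters out order IDs and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(line):
    """Return masked (first 6, last 4) card numbers found in one log line."""
    hits = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

def scan(lines):
    """Return (line_number, masked_pan) for every hit."""
    return [(n, pan) for n, line in enumerate(lines, 1) for pan in find_pans(line)]

# Constructed sample log; the card numbers are public test values.
SAMPLE_LOG = [
    "2026-01-15T10:22:01Z INFO checkout redirect order_id=1234567890123456",
    "2026-01-15T10:22:09Z DEBUG form body: card=4111111111111111&cvv=[redacted]",
    "2026-01-15T10:22:10Z INFO charge ok token=tok_constructed_example last4=1111",
    "2026-01-15T10:23:44Z WARN support note: customer read 4242 4242 4242 4242 by phone",
]

if __name__ == "__main__":
    for n, pan in scan(SAMPLE_LOG):
        print(f"line {n}: card number in log ({pan})")
```

A hit on a hosted-page deployment means card data is reaching your systems through some side channel (debug logging, support notes, a form posting to the wrong endpoint) and your PCI scope is larger than you think.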

Direct API for embedded software

SaaS platforms, ERPs, and vertical software embed payments through the gateway’s REST API. CoreGateway has an ISV program built around this pattern. Right for software companies that want to monetize transactions on their platform or build payments deep into a product experience.

Step 4: Turn on recurring billing and the customer vault

If your business has any subscription, payment plan, or repeat-customer pattern, these are the highest-leverage features in your gateway. Turn them on from day one.

Customer vault

The vault stores a token that represents the card, not the card number itself. Your dashboard or system uses the token to charge the customer for future orders without ever holding the raw card. This is what makes one-click reorder, saved payment methods, and recurring billing safe.

Recurring billing schedules

A modern gateway supports flexible schedules (daily, weekly, monthly, quarterly, annual, custom intervals), prorated charges for plan changes, and configurable retry logic when a card declines. CoreGateway’s recurring billing handles all of the above as part of the standard platform.

Automatic Card Updater

When a customer’s card expires or gets replaced, the card networks have a service that pushes the new number to merchants that have a vault token. A gateway enrolled in an automatic Card Updater quietly refreshes the card details behind the token so the next charge does not fail. For subscription businesses, this prevents a steady drip of recurring revenue lost to expired cards.
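The vault and Card Updater passages above describe one mechanism: your system holds a token, the gateway holds the card, and the card behind the token can change without the token changing. The following toy model is an added example, not CoreGateway's API; the class, method names, and card numbers are constructed for illustration.

```python
import secrets

class GatewayVault:
    """Toy model of the gateway side: the only place the card number lives."""

    def __init__(self):
        self._cards = {}  # token -> {"pan": ..., "exp": (year, month)}

    def store(self, pan, exp):
        # Random token: nothing about the card can be derived from it.
        token = "tok_" + secrets.token_urlsafe(16)
        self._cards[token] = {"pan": pan, "exp": exp}
        return {"token": token, "last4": pan[-4:]}

    def update_card(self, token, new_pan, new_exp):
        # Card Updater path: the card behind the token changes, the token does not.
        self._cards[token] = {"pan": new_pan, "exp": new_exp}

    def charge(self, token, amount_cents, today):
        card = self._cards.get(token)
        if card is None:
            return {"approved": False, "reason": "unknown_token"}
        if card["exp"] < today:          # (year, month) tuples compare in order
            return {"approved": False, "reason": "expired_card"}
        return {"approved": True, "last4": card["pan"][-4:],
                "amount_cents": amount_cents}

def demo():
    vault = GatewayVault()
    # Constructed test card numbers, not real accounts.
    saved = vault.store("4111111111111111", exp=(2026, 3))
    merchant_db = {"cust_1001": saved}   # merchant keeps token + last4 only
    token = merchant_db["cust_1001"]["token"]

    first = vault.charge(token, 4900, today=(2026, 2))
    lapsed = vault.charge(token, 4900, today=(2026, 4))       # card has expired
    vault.update_card(token, "4242424242424242", (2029, 3))   # updater refresh
    renewed = vault.charge(token, 4900, today=(2026, 4))
    return merchant_db, first, lapsed, renewed

if __name__ == "__main__":
    for step in demo():
        print(step)
```

A breach of the merchant database in this model exposes tokens and last-four digits, which are useless without access to the gateway.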

Step 5: Plan for refunds and chargebacks before they happen

Every business that takes card payments will have refunds and chargebacks. Setting up your process before the first one shows up means you handle them in 10 minutes instead of 90.

Refunds

Issued through the gateway dashboard or API. The funds return to the customer’s original card, typically arriving in 5 to 10 business days depending on the issuing bank. For subscription businesses, the gateway can also prorate a partial-period refund when a customer cancels mid-month.

Chargebacks

Initiated by the customer through their bank when they dispute a charge. The gateway notifies you, gives you a deadline (usually 7 to 14 days) to respond with evidence, and the card network decides who wins. Three things you should have ready before chargebacks start:

  • A clear billing descriptor. The text that appears on the customer’s bank statement should be your business name (or close enough that they recognize it). “I don’t recognize this charge” is the most common chargeback reason and it is almost always a descriptor mismatch.
  • Easy contact info on your site. If a customer can email you and get a refund in a day, they will not call their bank.
  • Documentation of every order. Date, amount, shipping confirmation (for physical goods), or service-delivery proof (for services). Save this stuff. It is what wins chargeback responses.

How much accepting payments online actually costs

Three components add up to your total cost of accepting payments online.

  1. Gateway monthly fee. Typically $10 to $50 per merchant account. CoreGateway’s standard platform is $20 per month.
  2. Per-transaction fee. A small percentage plus a flat fee on every approved transaction. CoreGateway uses interchange + 0.50% + $0.15 per transaction.
  3. Interchange. Set by the card networks. Varies by card type - debit cards are the cheapest, premium rewards cards are the most expensive, business cards sit in the middle.

Interchange-plus pricing tends to be cheaper than flat-rate (think 2.9% + $0.30) once your monthly volume gets serious, because the processor passes through the actual card-network cost instead of pocketing the spread. Run your own numbers - your gateway provider can give you a comparison based on your real volume and card mix.

The bottom line

Accepting payments online is a five-step process: choose a payment gateway with transparent pricing and standard features included, get approved for a merchant account through underwriting, build checkout the way that fits your team (hosted page, integrated, or API), turn on recurring billing and the customer vault, and set up your refund and chargeback process before you need it.

The decisions that matter long-term are the gateway choice, the pricing model, and whether the features you need are part of the standard platform or sold as add-ons. The application and integration parts are usually fast. The strategic parts are where it pays to slow down.

If you want to walk through how this would look for your business, book a 20-minute demo of CoreGateway. We will show you the dashboard, the API, and the pricing math so you can compare directly against what you have today.